Creating a Media5 Device Host Certificate with OpenSSL

Transcription

1 For All Mediatrix Units v

2 Table of Contents Table of Contents Generating a Private Key 3 Creating a Certificate Signing Request (CSR) from a Private Key 4 Signing the CSR file by Your Own Certificate Authority (CA) 5 Signing the CSR by a Third Party Certificate Authority (CA) 6 Self-signing the CSR File 7 Combining the Private Key and the Signed Certificate 8 Importing a Host Certificate to the Mediatrix Unit 10 Documentation 11 Copyright Notice 12

3 3 Generating a Private Key 1) Enter openssl genrsa -aes256 -out your_device.key 2048 Note: The following step is optional. 2) Enter cp your_device.key your_device.key.orig 3) Enter openssl rsa -in your_device.key.orig -out your_device.key to remove the passphrase. Example [root@localhost mycert]# cp key key.orig [root@localhost mycert]# openssl rsa -in key.orig -out key Enter pass phrase for key.orig: writing RSA key [root@localhost mycert]# Result A private key is generated with: a length of 2048 bits encryption with a 256 bit AES algorithm. The output filename is your_device.key. Next Step Creating a Certificate Signing Request (CSR) from a Private Key (p. 4)

4 4 Creating a Certificate Signing Request (CSR) from a Private Key Enter openssl req -new -key your_device.key -out your_device.csr -sha256 Result A CSR is generated from the private key created in the Generating a Private Key (p. 3) procedure with a SHA256 signature algorithm. This is a result example. [root@localhost mycert]# openssl req -new -key key -out csr -sha256 Enter pass phrase for key: You are about to be asked to enter information that will be incorporatedinto your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blankfor some fields there will be a defaultvalue, If you enter '.', the field will be left blank. ----Country Name (2 letter code)[xx]:ca State or Province Name (full name[]:quebec Locality Name (eg, city) [Default City]:Montreal Organization Name (eg, company) [Default Company Ltd]:Media5 Organizational Unit Name (eg,section)[]:tac Common Name (eg, your name or your server's hostname)[]: Address[]:tac@ Please enter the following 'extra'attributes to be sent with your certificate request A challenge password [] :An optional company name []: [root@localhost mycert]# Next Step Signing the CSR file by Your Own Certificate Authority (CA) (p. 5) Use this procedure if your certificates are signed by a Certificate Authority you have access to. Signing the CSR by a Third Party Certificate Authority (CA) (p. 6) Use this procedure if your certificates are signed by a Certificate Authority you do not have access to. Self-signing the CSR File (p. 7) Use this procedure if your certificates are self-signed, i.e. security is not an issue.

5 5 Signing the CSR file by Your Own Certificate Authority (CA) Use this procedure if your certificates are signed by a Certificate Authority you have access to. Enter openssl x509 -req -extfile host_ext.cnf -extensions host_ext -sha256 -days 3652 in your_device.csr -CA CA.crt -CAkey CA.key -CAserial CA.srl -out your_device.crt Note: CA.key is the private key of your CA CA.crt is the CA s public certificate CA.srl is the serial number file 3652 days is the validity period of the certificate host_ext.cnf defines the usage of the certificate. It contains: [ host_ext ] basicconstraints = CA:false keyusage = digitalsignature, keyencipherment, dataencipherment extendedkeyusage = serverauth, clientauth Result This is a result example. [root@localhost mycert]# openssl x509 -req -extfile host_ext.cnf -extensions host_ext -sha256 -days in csr -CA CA.crt -CAkey CA.key -CAserial CA.srl -out crt Signature ok subject=/c=ca/st=quebec/l=montreal/o=media5/ou=tac/cn= / address=tac@ Getting CA Private Key Enter pass phrase for CA.key: root@localhost mycert]# When the certificate will be imported to the Mediatrix unit, the information defined for the keyusage of the host_ext.cnf file will be displayed in Management>Certificates/Host Certificates table, under the Usage column. Next Step Combining the Private Key and the Signed Certificate (p. 8)

6 6 Signing the CSR by a Third Party Certificate Authority (CA) Use this procedure if your certificates are signed by a Certificate Authority you do not have access to. Send your CSR to the Third Party Certificate Authority agency responsible for signing your Certificate Signing Request. Note: VeriSign or Entrust are examples of Third Party Certificate Authority Agencies. Next Step Combining the Private Key and the Signed Certificate (p. 8)

7 7 Self-signing the CSR File Use this procedure if your certificates are self-signed, i.e. security is not an issue. Enter openssl x509 -req -extfile host_ext.cnf -extensions host_ext -sha256 -days 3652 in your_device.csr -signkey your_device.key -out your_device.crt IMPORTANT: The command must be entered on a single line, otherwise it will not work. Note: host_ext.cnf is a file containing the following which defines the usage of the certificate: [ host_ext ] basicconstraints = CA:false keyusage = digitalsignature, keyencipherment,dataencipherment extendedkeyusage = serverauth, clientauth Next Step Combining the Private Key and the Signed Certificate (p. 8)

8 8 Combining the Private Key and the Signed Certificate Information The host certificate required by the Mediatrix contains two parts: the private key and the signed certificate. Enter cat your_device.key your_device.crt > your_device.pem

9 9 Result This is a result example: [root@localhost mycert]# cat key crt pem [root@localhost mycert]# more pem -----BEGIN RSA PRIVATE KEY----MIIEowIBAAKCAQEAuxKDO66oKOigcHQ1r1lnXLiQT9R0oQkE/ppODo9vXZVsc8D6 uyfldrodnm6wbhbbrhlgbfsz5nvhwz2kcsjjb2thehdxuskls/4ewmvelcrzgygh +qjharwymyqdeqryrd/rqkdgnr2j9goczbrxbfawytlgacje4xlpy317jyr7yrll Qfv2hZAXqSdutmYJCysO405oEv1Dv7kfIDQvxP74Qsh0JgmW4Kq0eQdkfo+Xkwlp pidyyihi+5tgwz4yomrbzhzfkf+vdwogaesy2x+qcmhp81gr+spefhzzn9ouk0ha DpjAPgKWUaaJPHrC8k+gsu6WiO+dCRcUWnX47QIDAQABAoIBAQCnEMFia3iCED44 L5BCKPXGOI2ovXPq3MM5HVTYbABo8ykHtzA0Ln8NNU5GD1PiqMNHklO/A6D9z39l yeud9fksr85dloy3yhruqwx4zxjkjhrppdb6aobquosnlnvg4wjfpynfinepf4ko EbmJJyEQjHlxiCIiUROsfM5mTInPSZ3Glgm9l3gRZCBBLLf6js+NilYYi2ASyw6i F1+Kxw0KTvxKa1TR0HYH35urPW528dFyZp8/f2QUUSM4aN5uQrKj8jDwEOIORsW6 +ybzmopibbs2i+cbmtdgr5kjjle1+7dmy3k/humuke+fpzijf3v8vffsrucaqcxq 1lg33ogBAoGBAOjZLXyIiz1ORC/poRyMEhQ8xRUQaZiI279/J7N426F1G4An8yUl 8Qcmj2PXraLwnl6kX08Mmul7DN78BD0C7LSKK17PIFMH3NV8vWM8eWaE7nP9EqAJ l0ltogn2t+wenl/mc551xebccg9ifg+pfnjf8kdpjqte+8u4bet4dyqxaogbam2s K9vLoXoxJ5Oay+ojTMYSuqPfEIND9WuzUJvLAjtgJGKUJsXYUnk5zVZ2IYRMt2EV ncuasemwcomgdflimcaehuzgurg6t0pb7u2fwyilm+zjqucxl66p7zrq/3hc2q+y 61mJ3lEay/IIrksS807PCk/k8q9tmGOYg7mQcP19AoGATzg8coceIFB1gHuTFdxN 9laqkr0PwBan9OH1BumSh78JCTQOVFAxTcZ/uG9TowEMUJTJ3GIkflUgDuldI8jP 8aikktATZkxhhLy4zn9vqkKFwi6S3KIGtX1yZGVKsbN+rNaJa5rwwnCU4A+g3AFF hx+jisvumafhtvswmxq1olecgyaomyrxmaua33gl39uangwlwalfr0wovooazv+0 Mol3RY0JdWyORR5LVtEmj94gK7FM1qJlqFv34kzCTTpTyM9ILNxQgxsAYBfN7mSI unopzj5yyfr9r7jdxqk3uimnrtugejxtej427w5y86nnoqks1w2xjogphxi+gr9w pibavqkbgbx/k9qc/wxf8ui6r650jn8hiffi0nr6brscnmd0od7bjpf2b4tkv1ap CwSWj/BxYt9agncccXyEG8vHVLCtJYNYHJ/+OwID0ttN9dLE2fLPV1sgigMSY9oP R9KrLT+LPKL1V11s033vuLcD6jOknH2klKNRsNyxjGt+of0YxRaw -----END RSA PRIVATE KEY BEGIN CERTIFICATE----MIID0zCCArugAwIBAgIJAOcfWOxpBWD+MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD VQQGEwJDQTEPMA0GA1UECAwGUXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEPMA0G A1UECgwGTWVkaWE1MQwwCgYDVQQLDANUQUMxFjAUBgNVBAMMDTE5Mi4xNjguMS4y MjYxITAfBgkqhkiG9w0BCQEWEnRuZ0BtZWRpYTVjb3JwLmNvbTAeFw0xNTEyMDEx MTQ4MThaFw0yNTExMzAxMTQ4MThaMIGKMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEPMA0GA1UECgwGTWVkaWE1MQwwCgYD VQQLDANUQUMxFTATBgNVBAMMDDE5Mi4xNjguMS4zMTEhMB8GCSqGSIb3DQEJARYS dgfjqg1lzglhnwnvcnauy29tmiibijanbgkqhkig9w0baqefaaocaq8amiibcgkc AQEAuxKDO66oKOigcHQ1r1lnXLiQT9R0oQkE/ppODo9vXZVsc8D6uyFldRoDnm6w BHbbrhLgBfsZ5nVHwZ2KCsjJB2THehDXUskLS/4EWMveLcrzGygH+qjHArwYmYQd EQrYrd/RqkDgnR2j9gocZBRXBfAWYtLgacJe4xlPy317JyR7YrlLQfv2hZAXqSdu tmyjcyso405oev1dv7kfidqvxp74qsh0jgmw4kq0eqdkfo+xkwlppidyyihi+5tg Wz4YoMRbZHZfKF+VdwOGAeSy2X+QCmHP81GR+SPefHzzn9oUk0HaDpjAPgKWUaaJ PHrC8k+gsu6WiO+dCRcUWnX47QIDAQABozkwNzAJBgNVHRMEAjAAMAsGA1UdDwQE AwIEsDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEL BQADggEBAEX1sxk/Ad4aVOrPk2oE/dzOmFmq4LeucYw9uJ6F7SdewAU8pghXMvBu cowvtofdemrtvpmsdghspmxsgtyl4dbwfj2ybpfofk6bdnzamu3gw37+wxy0w7tw 1ea+kWN4v6Dv/GaOuBxQ4pAN2lQaDc99fMSp3G3TCFW4lh0lBEeBxvZOpHwuLrcd 1IbdPNy7z13Ko0639B935Lj1CRGpzEvgSgGtcMhkLifLAL7dhlVcU7fLIAOz5Kov A7OESnlj8V8DuVirBTNUKGqgY/36g87e7n8g84Xse86vEFhppKzCcZtDIKQ5KvTv +ilgqls9mjhaurunv9+jjx1spv8fzp0= -----END CERTIFICATE----- Next Step Importing a Host Certificate to the Mediatrix Unit (p. 10) >

10 10 Importing a Host Certificate to the Mediatrix Unit Before you start You must have an SNTP server for current date and time. 1) 2) 3) 4) 5) 6) Go to Management/Certificates. Click Activate unsecure certificate transfer. From the Type selection list, select Host. Click Browse and select the Host certificate. Click Apply In the Host Certificate Associations table, select the services that Host Certificate should be associated with. Note: A Host certificate is by default associated with all services. Several Host Certificates can be imported and associate with one or several services. 7) Click Apply. Result This is an example of the result of a Host Certificate imported and associated with all services.

11 11 Documentation Mediatrix units are supplied with an exhaustive set of documentation. Mediatrix user documentation is available on the Documentation Portal. Several types of documents were created to clearly present the information you are looking for. Our documentation includes: Release notes: Generated at each GA release, this document includes the known and solved issues of the software. It also outlines the changes and the new features the release includes. Configuration notes: These documents are created to facilitate the configuration of a specific use case. They address a configuration aspect we consider that most users will need to perform. However, in some cases, a configuration note is created after receiving a question from a customer. They provide standard step-by-step procedures detailing the values of the parameters to use. They provide a means of validation and present some conceptual information. The configuration notes are specifically created to guide the user through an aspect of the configuration. Technical bulletins: These documents are created to facilitate the configuration of a specific technical action, such as performing a firmware upgrade. Hardware installation guide: They provide the detailed procedure on how to safely and adequately install the unit. It provides information on card installation, cable connections, and how to access for the first time the Management interface. User guide: The user guide explains how to customise to your needs the configuration of the unit. Although this document is task oriented, it provides conceptual information to help the user understand the purpose and impact of each task. The User Guide will provide information such as where and how TR-069 can be configured in the Management Interface, how to set firewalls, or how to use the CLI to configure parameters that are not available in the Management Interface. Reference guide: This exhaustive document has been created for advanced users. It includes a description of all the parameters used by all the services of the Mediatrix units. You will find, for example, scripts to configure a specific parameter, notification messages sent by a service, or an action description used to create Rulesets. This document includes reference information such as a dictionary, and it does not include any step-by-step procedures.

12 12 Copyright Notice Copyright 2017 Media5 Corporation. This document contains information that is proprietary to Media5 Corporation. Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents. This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation. Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.

13